Verifying passwords by the way they're typed
There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it.
Ravel Jabbour, Wes Masri and Ali El-Hajj of the American University of Beirut have developed software that aims to improve upon past attempts at linking password authentication to the speed and rhythm of the user's keystrokes, a method called key-pattern analysis (KPA).
Instead of just measuring the time-lapse between keystrokes, the researchers also measure how long each key remains depressed. They argue that this extra parameter of "intra" timing significantly boosts reliable authentication and improves the overall KPA approach.
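To make the two measurements concrete, here is an added sketch (not the researchers' software) that builds a per-user timing template from key-down and key-up timestamps and scores a login attempt with and without the hold-time feature. The z-score distance, the 2.0 threshold, the 5 ms deviation floor and all sample timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def features(events, use_dwell=True):
    """events: [(key, down_ms, up_ms), ...] in typing order."""
    # Flight ("inter") time: gap from one key's release to the next key's press.
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    # Dwell ("intra") time: how long each key stays depressed.
    dwell = [up - down for _, down, up in events] if use_dwell else []
    return dwell + flight

def enroll(samples, use_dwell=True, min_sd=5.0):
    """Per-feature (mean, sd) template from repeated typings of one password."""
    columns = zip(*(features(s, use_dwell) for s in samples))
    # Floor the deviation so a few very consistent samples do not
    # produce a template the owner can no longer match.
    return [(mean(c), max(stdev(c), min_sd)) for c in columns]

def score(template, events, use_dwell=True):
    """Mean absolute z-score of an attempt against the template."""
    vec = features(events, use_dwell)
    if len(vec) != len(template):
        raise ValueError("attempt has a different number of keystrokes")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(vec, template))

def accept(template, events, use_dwell=True, threshold=2.0):
    return score(template, events, use_dwell) <= threshold

def make_events(keys, dwells, flights):
    """Build constructed sample events from dwell and flight times (ms)."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

# Constructed data: the owner typing a four-key password three times.
OWNER = [make_events("pass", d, f) for d, f in [
    ([90, 80, 100, 95], [120, 60, 150]),
    ([95, 78, 104, 92], [112, 66, 158]),
    ([86, 84, 97, 99], [126, 57, 145]),
]]
GENUINE = make_events("pass", [92, 82, 99, 94], [118, 63, 153])
# Same keys and same gaps between keys, but different hold times.
OTHER = make_events("pass", [140, 150, 60, 160], [120, 60, 150])

if __name__ == "__main__":
    for use_dwell in (False, True):
        tpl = enroll(OWNER, use_dwell)
        print(use_dwell, accept(tpl, GENUINE, use_dwell), accept(tpl, OTHER, use_dwell))
```

With these constructed timings, the second typist passes when only the gaps between keys are compared and is rejected once hold times are included.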
Modified keyboards that measure keystroke pressure represent another avenue for, but this approach works on a standard keyboard. It would work like this:
It's a bit of a double-edged sword because the longer and more complex the password, the harder it is to repeatedly type it in with the same rhythm. The researchers acknowledge the trade-off - it's a matter of finding a "sweet spot" between length and reliable typing. I know that if I had a choice between a longer password and a system that stopped someone with my password written down in front of them from gaining access, I'd choose the latter.
The researchers say they have also integrated secure "group" functionality into the system to cater for another possible drawback - the ability to share passwords when you do want someone else to have log-in access.
The paper "Optimising password security through key-pattern analysis" is published in the International Journal of Internet Technology and Secured Transactions.
KEYSTROKE LOGGERS are unable to duplicate the signature of the individual... True, if you cut your hand, are impaired, you may not get on, but there are always overrides that an individual can produce, if they are so inclined.
Also I think you'd need a custom keyboard to extract the information and report it to the main application. It looks like this would only be used inside high cost, high security installations.